knot-1.6.8-bp152.4.3.1

- CVE-2017-11104: Fixed an improper implementation of TSIG protocol
  which could have allowed an attacker with a valid key name and
  algorithm to bypass TSIG authentication (bsc#1047841).
  Added knot-CVE-2017-11104.patch

- add knot-openssl-1.1+.patch
  * fix build with openssl 1.1+

- refreshed 0002-make-configure.ac-compatible-with-old-tools.patch
  to fix build

- update to 1.6.8
  - Zone size limit restriction for DDNS, AXFR, and IXFR
    (CVE-2016-6171)

- fix the sphinx buildrequires so we can build on sle12

- update to 1.6.7
  - Improvements:
  - IXFR: Log change of the zone serial number after the
    transfer.
  - RRL: Document operational impact of various settings.
  - RRL: Add support for zero slip (dropping of all limited
    responses).

- update to 1.6.6
  - Fix daemon startup systemd notification
  - Out-of-bound read in packet parser for malformed NAPTR records
    (LibFuzzer)
  - Add rosedb module
- enable rosedb
- refresh patches to apply cleanly again
  0001-loosen-openssl-dependency.patch
  0002-make-configure.ac-compatible-with-old-tools.patch

- skip silent rule in configure.ac to fix the SLE 11 build

- update to 1.6.5
  - Bugfixes:
  - Do not reload expired zones on 'knotc reload' and server
    startup
  - Fix rare race-condition in event scheduling causing delayed
    event execution
  - Fix skipping of non-authoritative nodes in NSEC proofs
  - Fix TC flag setting in RRL slipped answers
  - Disable domain name compression for root label for better
    compatibility
  - Log via journald only when running under systemd
  - Improve lookup of libsystemd build dependencies
  - Fix compilation warnings in endian conversion functions on
    OpenBSD
  - Features:
  - Update persistent timers only on shutdown for better
    performance
  - Add 'request-edns-option' config option to add custom EDNS0
    option into server initiated queries
  - Allow specification of time units in 'max-conn-idle',
    'max-conn-handshake', 'max-conn-reply', and 'notify-timeout'
    config options
- changes in 1.6.4
  - Bugfixes:
  - Fix lost NOTIFY message if received during zone transfer
  - Fix compilation error with LibreSSL
  - Disable fast zone parser when compiled in Clang (workaround
    for Clang bug)
  - kdig: Record correct dnstap SocketProtocol when retrying
    over TCP
  - kdig: Hide TSIG section with +noall
  - Do not set AA flag for AXFR/IXFR queries
  - Features:
  - Zone parser: Split long TXT/SPF strings into multiple
    strings
  - kdig: Add generic dump style option (+generic)
  - Try all master servers in multi-master environment
  - Improvements:
  - Zone dump: Do not write class for SOA record (unified with
    other RR types)
  - Zone dump: Do not write master server address into the zone
    file
- refresh patches to apply cleanly again
- sync spec file with knot2 spec file
  - use bcond_with for the systemd conditional
  - replace all occurences of %{name} with %{pkg_name}
  - removed duplicated libexecdir
  - also pass disable static and includedir

- local state dir should be just /var

- enable dnstap support for factory and newer:
  - new BR: protobuf-c and libfstrm-devel
- prepared lto support but not enabled yet, still need to find out
  which distros support it

- update to 1.6.3
  - Performance drop for NSEC-signed zones
  - Proper handling of TCP short-writes
  - Out-of-bound read in zone parser for long domain names in
    origin (AFL fuzzer)
  - Out-of-bound read in packet parser for TSIG RR without RDATA
    (AFL fuzzer)
  - Out-of-bound read in packet parser for malformed NAPTR RR (AFL
    fuzzer)
  - CDS and CDNSKEY support in zone parser
  - Add defaults for TCP config options into documentation
  - Detailed error message if zone reload fails
- refreshed patches to apply cleanly again:
  0002-make-configure.ac-compatible-with-old-tools.patch

- update to 1.6.2
  - Limiting number of parallel TCP clients (max-tcp-clients config
    option)
  - Ignore refresh and transfer events on non-slave zones
  - Compilation with Dnstap support on FreeBSD
  - Possible file descriptor leak when terminating inactive TCP
    clients
- refreshed patches to apply cleanly again:
  0002-make-configure.ac-compatible-with-old-tools.patch
- moved autoreconf -fi to %build so it wont be tried in quilt setup
  or similar tools
- move up the %if case for systemd in for the preun scriptlet to
  avoid warning about empty scripts on non systemd distributions.
- used xz tarball: new buildrequires xz

- Add deps on the docu packages to regen documentation
- Enable systemd integration fully
- Add dep on libidn
- Cleanup with spec-cleaner

- Only require lmdb-devel on (Open)SUSE 13.2 and higher

- Updated to 1.6.1
  Bugfixes:
  - Journal file would sometimes outgrow its set limit
  - Fixed incompatibility with OpenSSL 0.9.8
  - Proper handling when machine hostname cannot be retreived
  Features:
  - Support for DNSSEC Single Type Signing Scheme
- Compile with lmdb-devel to add support for persistent timers

- Updated to 1.6.0
  Bugfixes:
  - Fix zone expiration when AXFR/IXFR is being refused by master
  - Fix forced zone refresh on slave (knotc refresh -f)
  - Persistent timers database opening after privileges has been dropped
  - DNSSEC: RFC compliant processing of letter case in RDATA domain names
  - EDNS: Return minimal error response for queries with unsupported version
  - EDNS: Fix interpretation of Extended RCODE
  Improvements:
  - Maximal size of persistent timers database increased from 10 MB to 100 MB
  - Added logging of persistent timers database errors
  Features:
  - Persistent timers for slave zones (expire, refresh, and flush)

- Updated to 1.5.3
  Bugfixes:
  - Some specific incoming IXFRs were causing server to crash
  - Rare sychronization error during reload caused read-after-free
  - Response synthetization module did not work properly with DNSSEC-enabled zones
  - When Knot sent AXFR when IXFR was requested, message ID and opcode were wrong
  - Knot failed to send large messages to remote control (present since 1.5.1)
  - Some RR parsing corner cases were not handled properly
  - AXFR-style IXFR was refused and had to be retransfered
  - Hash character (#) was not properly escaped when storing text zone file
  - DNSSEC: DNAMEs in RDATA were not lowercased before signing
  - EDNS: OPT RR were not put into responsing for some errors
  - TSIG: DDNS responses were not signed with TSIG
  - DDNS: Prerequisite checks failed for some inputs
  - knsupdate: Zone origin was not used for deletions
  Features:
  - Basic support for logging using systemd journal
  - DDNS: Ability to process updates in bulk
  Improvements:
  - Unified logging messages structure
  - DNSSEC: More strict controls for signing keys
- Refreshed patches on top of 1.5.3 release:
  * 0001-loosen-openssl-dependency.patch
  * 0002-make-configure.ac-compatible-with-old-tools.patch

- Squash 0002-remove-AM_SILENT_RULES.patch and 0003-no-dist-xz.patch
  into 0002-make-configure.ac-compatible-with-old-tools.patch that
  removes configure.ac options incompatible with SLES_11_SP[23].
- added patches:
  * 0002-make-configure.ac-compatible-with-old-tools.patch
- removed patches:
  * 0002-remove-AM_SILENT_RULES.patch
  * 0003-no-dist-xz.patch

- Updated to 1.5.0
  Features:
  * DDNS forwarding reimplemented
  * edns-client-subnet support in kdig
  * Optional asynchronous startup (config "asynchronous-start")
  * Pluggable query processing modules
  * Synthetic IPv4/IPv6 reverse/forward records (optional module)
  * dnstap support in both utilities & server (optional module)
  * NOTIFY message support and new TSIG section in kdig
  * Multi-master support
  Improvements:
  * Transfer sizes logged in bytes if needed
  * Logging outgoing NOTIFY messages
  * Logging unauthorized incoming NOTIFYs
  * Preempt task queue for faster reload
  * Lazy zone file write after zone transfer (governed by "zonefile-sync")
  * Query processing and core functionality overhaul
  * Performance and reduced memory footprint
  * Faster zone events scheduling
  * RFC compliant queries/responses in some corner cases
  * Log messages
  * New documentation (Sphinx)
  Bugfixes:
  * Zone flush planning after bootstrap
  * Incorrect incoming AXFR message sizes
  * DDNS signing changes were freed too soon, posibility of stale data
  * knotc remote control key handling
  * Close zone transfer after SERVFAIL response
  * Incremental to full zone transfer fallback, wrong log message
  * Zone events corner cases, reload replanning

- updated to 1.4.7:
  * Fixed DDNS corner cases
  * Fixed zone EXPIRE timer
  * Fixed semantic checks false positives
  * Fixed sending malformed IXFR with automatic DNSSEC
  * Fixed NAPTR record serialization